This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alain_Chofardet
Explorer
‎2024-09-17 11:46 PM
Jump to solution

Local and remote subnet overlaps

Hi.

I'm running a R81.20 cluster. I have a series of local networks. One is 192.168.32.0/24.

I have a VPN (I mean running) with an external company. This company needs to access only one of my local subnets (ie 192.168.110.0/24) from a list of subnets.

In that list of subnet, 192.168.32.0/24 also exists.

Currently, the VPN tunnel works, but I have local problems. 

I go to a local machine, (192.168.32.4) and try to ping the gateway (192.168.32.254)

I can see in the logs things like that : VPN blade yield "Clear text packet should be encrypted"

Any idea to explain these 2 192.168.32.0/24 networks have nothing in common ?

Regards

0 Kudos
1 Solution

Accepted Solutions
Lesley
Leader Leader
Leader
‎2024-09-18 01:06 AM
Jump to solution

The log messages makes sense in this case. 192.168.32.254 is part (also) of the remote encryption domain.

Gateway receives unencrypted traffic and drops it because it is expecting encrypted traffic. 

With overlap you need to work with NAT. Does the tunnel traffic need to go in both directions? So remote towards you and you towards remote side? So a bidirectional tunnel? If they only need to connect with you they need to NAT on their side so you don't see the 192.168.32.0 if you need to connect with them you need to NAT. If it is bidirectional tunnel I would recommend to nat on both sides.

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

0 Kudos
3 Replies
emmap
Employee
Employee
‎2024-09-18 12:19 AM
Jump to solution

A network can only exist in one place for the gateway to know where to expect traffic to come from/go to. The ideal solution would be for the external company to NAT their side to an IP/subnet you're not using before they send the traffic down the tunnel. 

0 Kudos
Lesley
Leader Leader
Leader
‎2024-09-18 01:06 AM
Jump to solution

The log messages makes sense in this case. 192.168.32.254 is part (also) of the remote encryption domain.

Gateway receives unencrypted traffic and drops it because it is expecting encrypted traffic. 

With overlap you need to work with NAT. Does the tunnel traffic need to go in both directions? So remote towards you and you towards remote side? So a bidirectional tunnel? If they only need to connect with you they need to NAT on their side so you don't see the 192.168.32.0 if you need to connect with them you need to NAT. If it is bidirectional tunnel I would recommend to nat on both sides.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Alain_Chofardet
Explorer
‎2024-09-18 04:06 PM
In response to Lesley
Jump to solution

Hi. I think the real need is only unidirectional.

So I need to negociate 😉

Thanks

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events